The General Data Protection Regulation (GDPR), the new EU data security and privacy law, officially approved in April 2016 and slated to come into effect by May 2018, will shake up enterprises in a big way.

Enterprises, on whom the burden of compliance falls, have a long way to go. A recent survey from Experian and the Ponemon Institute reveals only 24 percent of companies surveyed say they have a high degree of readiness to adhere to the GDPR, and 59 percent of respondents do not understand what they need to do to comply in the first place. Nevertheless, compliance is expedient. About 69 percent of respondents believe failure to comply with these regulations would have an impact on their global business.

Privacy by Design Approach

GDPR, in essence, adopts a “Privacy by Design” approach: it aims to minimise the collection of personal data to what is absolutely required, to ensure that personal data no longer required is deleted, to restrict access to sensitive data to a need-to-know basis, and to ensure that data is secured and protected throughout its entire lifecycle. However, the new law also imposes stringent obligations on data processors, and enterprises may find some compliance tasks, such as notifying data breach victims on a global scale, difficult to perform.

New technologies and personnel are needed

GDPR compliance is also costly. About 57 percent of enterprises surveyed by Experian and the Ponemon Institute are investing in new technologies, such as consent management, analytics, and encryption, to remain compliant. About 55 percent of enterprises are appointing data protection officers, another requirement under GDPR.

The new GDPR is, in a sense, an evolution of the incumbent Data Protection Directive (DPD), filling the critical gaps in the existing EU directive and factoring in the advances in technology since the rules were first established in 1995. While large enterprises already compliant with industry standards such as ISO 27001, PCI DSS, or the SANS Top 20 may find GDPR easier to comply with than others, small and medium enterprises are finding the scale-up stiff, challenging, and costly.